PT-2026-44055

Name of the Vulnerable Software and Affected Versions Budibase versions prior to 3.38.3 Description The removeSecrets function in the server SDK fails to mask datasource configuration fields unless their schema type is DatasourceFieldType.PASSWORD. Because the Snowflake integration defines the...

CVE-2026-40384

CVE-2026-40384 affects Joomla! Core — com_media webservice endpoint. The issue is improper validation of the search parameter in the com_media files API, enabling path traversal. Documented across NVD, CVE records, and security feeds; impact described as path traversal with high confidentiality i...

CVE-2026-9552

A security flaw has been discovered in Das Parking Management System 停车场管理系统 6.2.0. This vulnerability affects unknown code of the component Search API Endpoint. The manipulation of the argument Value results in sql injection. It is possible to launch the attack remotely. The exploit has been...

EUVD-2026-31829

A security flaw has been discovered in Das Parking Management System 停车场管理系统 6.2.0. This vulnerability affects unknown code of the component Search API Endpoint. The manipulation of the argument Value results in sql injection. It is possible to launch the attack remotely. The exploit has been...

CVE-2026-9552

CVE-2026-9552 affects Das Parking Management System 6.2.0, specifically the Search API Endpoint. The vulnerability is a SQL injection triggered by manipulating the Value parameter, allowing remote exploitation. Public exploits exist. The vendor was contacted but did not respond. No remediation de...

CVE-2026-9552

A security flaw has been discovered in Das Parking Management System 停车场管理系统 6.2.0. This vulnerability affects unknown code of the component Search API Endpoint. The manipulation of the argument Value results in sql injection. It is possible to launch the attack remotely. The exploit has been...

CVE-2026-9552 Das Parking Management System 停车场管理系统 Search API Endpoint sql injection

A security flaw has been discovered in Das Parking Management System 停车场管理系统 6.2.0. This vulnerability affects unknown code of the component Search API Endpoint. The manipulation of the argument Value results in sql injection. It is possible to launch the attack remotely. The exploit has been...

CVE-2026-9552 Das Parking Management System 停车场管理系统 Search API Endpoint sql injection

A security flaw has been discovered in Das Parking Management System 停车场管理系统 6.2.0. This vulnerability affects unknown code of the component Search API Endpoint. The manipulation of the argument Value results in sql injection. It is possible to launch the attack remotely. The exploit has been...

CVE-2026-9551 Das Parking Management System 停车场管理系统 API Endpoint ExportParkingRecords xp_cmdshell sql injection

A vulnerability was identified in Das Parking Management System 停车场管理系统 6.2.0. This affects the function xpcmdshell of the file ParkingRecord/ExportParkingRecords of the component API Endpoint. The manipulation of the argument Value leads to sql injection. It is possible to initiate the attack...

CVE-2026-9551

CVE-2026-9551 affects Das Parking Management System 6.2.0. The vulnerability resides in the API Endpoint’s ParkingRecord/ExportParkingRecords function, specifically the xp_cmdshell component, where manipulating the Value argument causes a SQL injection. It is exploitable remotely and the exploit ...

Das Parking Management System SQL注入漏洞

Das Parking Management System is a parking management system developed by Das Real Technology Co., Ltd. Version 6.2.0 of Das Parking Management System has a SQL injection vulnerability. This vulnerability arises from improper handling of parameters during the execution of code in the Search API...

CVE-2026-9466 Tiandy Easy7 Integrated Management Platform API Endpoint updateUserPassword password recovery

A vulnerability was determined in Tiandy Easy7 Integrated Management Platform 7.17.0. This issue affects some unknown processing of the file /rest/user/updateUserPassword of the component API Endpoint. Executing a manipulation can lead to weak password recovery. The attack can be executed remotel...

CVE-2026-9464 YunaiV yudao-cloud Admin API Endpoint create IotDataSinkHttpConfig server-side request forgery

A vulnerability has been found in YunaiV yudao-cloud 2026.03. This affects the function IotDataSinkHttpConfig of the file /admin-api/iot/data-sink/create of the component Admin API Endpoint. Such manipulation leads to server-side request forgery. The attack may be launched remotely. The exploit h...

EUVD-2026-31684

A vulnerability has been found in YunaiV yudao-cloud 2026.03. This affects the function IotDataSinkHttpConfig of the file /admin-api/iot/data-sink/create of the component Admin API Endpoint. Such manipulation leads to server-side request forgery. The attack may be launched remotely. The exploit h...

CVE-2026-9464 YunaiV yudao-cloud Admin API Endpoint create IotDataSinkHttpConfig server-side request forgery

A vulnerability has been found in YunaiV yudao-cloud 2026.03. This affects the function IotDataSinkHttpConfig of the file /admin-api/iot/data-sink/create of the component Admin API Endpoint. Such manipulation leads to server-side request forgery. The attack may be launched remotely. The exploit h...

yudao-cloud 代码问题漏洞

yudao-cloud is a backend management system for YunaiV individual developers. A code issue vulnerability exists in yudao-cloud version 2026.03, which originates from the function IotDataSinkHttpConfig operation in the file /admin-api/iot/data-sink/create in the component Admin API Endpoint, which...

JeecgBoot 授权问题漏洞

JeecgBoot is a Java low-code platform developed by Jeecg Corporation, designed for enterprise web applications. Version 3.9.1 of JeecgBoot contains an authorization vulnerability. This vulnerability stems from an unknown handling of files in the OpenAPI Endpoint component, which may lead to...

phpMyFAQ: Missing Password Reset Token Allows Account Takeover via Username/Email Enumeration

Summary An authentication bypass vulnerability in phpMyFAQ allows any unauthenticated attacker to reset the password of any user account, including SuperAdmin accounts. By sending a PUT request with just a valid username and associated email address to /api/user/password/update, an attacker...

GHSA-9QV9-8XV6-5P35 phpMyFAQ: Unauthenticated Password Reset Endpoint Allows User Enumeration and Forced Password Change Without Token Validation

Summary The password reset API can be triggered without authentication and without any out-of-band confirmation step. If an attacker knows a valid username + email pair, they can call the reset endpoint directly. The application immediately generates a new password, writes it to the account, and...

CVE-2026-42099 Race Condition in Sparx Pro Cloud Server

Sparx Pro Cloud Server is vulnerable to a Race Condition in the /dataapi/dlinternalartifact.php endpoint. The application downloads the properties of the object pointed by guid parameter and saves loaded content in current location DIR under the specified name. An attacker with repository access...